Apart from the patient himself, only clinicians may have access to personal
health information. The reasons for placing the trust perimeter at the
professional boundary are both traditional and practical: the clinical
professions do not consider the mechanisms of the civil and criminal law to
give adequate protection. If a doctor gave a record to a social worker who then
passed it to a third party without consent --- or merely kept it in an insecure
local council computer system which was hacked --- then the doctor could still
be liable, and might have no recourse.

In effect, only clinicians are trusted to enforce the principle of informed
consent, and control of any identifiable clinical record must lie with the
individual clinician who is responsible. This might be a patient's GP, or the
consultant in charge of a hospital department.

Principle 3: One of the clinicians on the access control list
must be marked as being responsible. Only she may alter the access control
list, and she may only add other health care professionals to it.
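The following is an added illustration of Principle 3, not code from the original document: a small Python model of one record's access control list in which only the clinician marked as responsible may alter the list, and she may add only health care professionals to it. The `Principal`, `ClinicalRecord` and `scenario` names, the sample people, and the rule that the responsible clinician cannot remove herself from the list are assumptions made for the example.

```python
"""Model of Principle 3: a responsible clinician controls the access control list."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """A person who may interact with a record (hypothetical type for this example)."""
    name: str
    is_clinician: bool  # True only for health care professionals


class AccessControlError(Exception):
    """Raised when a request would violate the access control policy."""


@dataclass
class ClinicalRecord:
    """One identifiable clinical record with its access control list."""
    patient: Principal
    responsible: Principal  # the clinician marked as responsible for the record
    acl: set = field(default_factory=set)

    def __post_init__(self):
        if not self.responsible.is_clinician:
            raise AccessControlError("the responsible principal must be a clinician")
        # The responsible clinician is always on the list.
        self.acl = set(self.acl) | {self.responsible}

    def may_read(self, who: Principal) -> bool:
        # Only the patient and the clinicians on the list may see the record.
        return who == self.patient or who in self.acl

    def add_to_acl(self, actor: Principal, new: Principal) -> None:
        # Only the responsible clinician may alter the list ...
        if actor != self.responsible:
            raise AccessControlError(f"{actor.name} is not the responsible clinician")
        # ... and she may only add other health care professionals to it.
        if not new.is_clinician:
            raise AccessControlError(f"{new.name} is not a health care professional")
        self.acl.add(new)

    def remove_from_acl(self, actor: Principal, who: Principal) -> None:
        if actor != self.responsible:
            raise AccessControlError(f"{actor.name} is not the responsible clinician")
        # Assumption for this example: the record must keep a responsible clinician.
        if who == self.responsible:
            raise AccessControlError("the responsible clinician cannot be removed")
        self.acl.discard(who)


def scenario() -> dict:
    """Constructed example: a GP's record and a series of requests made against it."""
    patient = Principal("Ms Patient", is_clinician=False)
    gp = Principal("Dr GP", is_clinician=True)
    consultant = Principal("Mr Consultant", is_clinician=True)
    colleague = Principal("Dr Colleague", is_clinician=True)
    social_worker = Principal("Social worker", is_clinician=False)
    record = ClinicalRecord(patient=patient, responsible=gp)

    def attempt(operation, *args) -> str:
        try:
            operation(*args)
            return "allowed"
        except AccessControlError as err:
            return f"refused: {err}"

    outcome = {
        "patient_reads": record.may_read(patient),
        "gp_reads": record.may_read(gp),
        "social_worker_reads": record.may_read(social_worker),
        # The responsible GP may add another clinician.
        "gp_adds_consultant": attempt(record.add_to_acl, gp, consultant),
    }
    outcome["consultant_reads"] = record.may_read(consultant)
    # The consultant is on the list but is not responsible, so cannot alter it.
    outcome["consultant_adds_colleague"] = attempt(record.add_to_acl, consultant, colleague)
    # The GP is responsible, but a social worker is not a health care professional.
    outcome["gp_adds_social_worker"] = attempt(record.add_to_acl, gp, social_worker)
    outcome["social_worker_reads_after"] = record.may_read(social_worker)
    return outcome


if __name__ == "__main__":
    for request, result in scenario().items():
        print(f"{request}: {result}")
```

The point the model makes is that the two checks in `add_to_acl` are independent: being on the list does not confer the right to change it, and being the responsible clinician does not allow the list to be extended beyond the clinical professions.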

Where access has been granted to administrators, as in the USA, the result has
been abuse. In the UK, the tension between clinical confidentiality and
administrative `need-to-know' has been assuaged by regulations that purchasing
organisations must have `safe-havens' --- protected spaces under the control of
an independent clinician --- to which copies of records may be sent if there is
an administrative dispute [NHS92]. Administrative systems that might handle
personal health information must support safe-haven procedures; for example,
the clinical parts of patient records might be encrypted in such a way that
only the clinician in charge of the safe-haven could decrypt them. Such systems
must also abide by the Joint Computer Group guidelines mentioned above [JCG88].

When information is sought by, and may lawfully be provided to, a third party
such as a social worker, a lawyer, a police or security service officer, an
insurance company or an employer, then the information must be provided on
paper. This reflects current practice: in the community care scenario mentioned
above, records shared between doctors, nurses and social workers were kept on
paper rather than on a database because of security concerns.

It should also be borne in mind that computer records are not usable as
evidence unless they come with a paper certificate signed by the system owner
or operator; direct electronic access is of little evidential value, and a
signed statement on paper can best satisfy a bona fide requirement for
evidence.